Hi, the timestamp of data that is sent via Logstash changes when it is stored in the Splunk index. What is the reason?
index="influx2splunk" | spath input=_raw | table time _time @timestamp _raw
time                   _time                 @timestamp
2023-06-15T06:06:55Z   2023-06-15 05:06:55   2023-06-15T01:36:55.000Z
2023-06-15T06:06:55Z                         2023-06-15T01:36:55.000Z
Here is the _raw data that is received from Logstash:
{"usage_irq":0,"usage_user":4.373757455295997,"results":{"statement_id":0},"@version":"1","@timestamp":"2023-06-15T01:36:55.000Z","usage_guest":0,"cpu":"cpu20","usage_iowait":0,"usage_softirq":0.39761431396001656,"http_poller_metadata":{"input":{"http_poller":{"response":{"status_code":200,"status_message":"OK","headers":{"date":"Sat, 17 Jun 2023 06:05:47 GMT","x-influxdb-build":"OSS","x-influxdb-version":"1.7.8","transfer-encoding":"chunked","x-request-id":"00a6ba2f-0cd5-11ee-981b-005056b7dda2","content-type":"application/json","request-id":"00a6ba2f-0cd5-11ee-981b-005056b7dda2"},"elapsed_time_ns":797045},"request":{"name":"cpu","original":{"url":"https://192.168.1.1:8086/query?pretty=true&db=mydb&q=myquery","headers":{"Authorization":"Token mytoken"},"method":"get"},"retry_count":0,"host":{"hostname":"srv"}}}}},"usage_idle":92.04771372774293,"usage_system":3.1809145128373424,"usage_steal":0,"time":"2023-06-15T06:06:55Z","name":"cpu","usage_nice":0,"usage_guest_nice":0}
Logstash config:
filter {
  split { field => "results" }
  split { field => "[results][series]" }
  split { field => "[results][series][values]" }
  mutate { rename => { "[results][series]" => "series" } }
  mutate { rename => { "[series][name]" => "name" } }
  ruby { code => 'series = event.get("series"); series["columns"].each_with_index {|val, index| event.set(val, event.get("[series][values][" + index.to_s() + "]"))}' }
  date { match => ["time", "yyyy-MM-dd'T'HH:mm:ss:SSS'Z"] target => "_time" }
  prune { blacklist_names => [ "event", "host", "series" ] }
}
Any idea?
Thanks
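A check added here, not part of the original post: a small Python script that tests whether the Joda-style pattern used in the date filter above can parse the `time` value shown in the _raw event. It assumes a simplified Joda-to-strptime token mapping covering only the tokens in that pattern, and the second pattern is a hypothetical variant without the `:SSS` part, used for comparison.

```python
from datetime import datetime
import re

# Values taken from the original post: the `time` field in _raw and the date-filter pattern.
TIME_VALUE = "2023-06-15T06:06:55Z"
POSTED_PATTERN = "yyyy-MM-dd'T'HH:mm:ss:SSS'Z"  # exactly as posted (unclosed final quote)
ALT_PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'"       # hypothetical variant without ':SSS'

# Subset of Joda-Time tokens (as used by the Logstash date filter) -> strptime directives.
# Assumption: only these tokens are needed for the patterns on this page.
JODA_TO_STRPTIME = {
    "yyyy": "%Y", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S", "SSS": "%f",
}
TOKEN_RE = re.compile(r"(yyyy|MM|dd|HH|mm|ss|SSS)")


def joda_to_strptime(pattern: str) -> str:
    """Translate a Joda-style date pattern into a strptime format string.

    Text inside single quotes is literal; an unterminated quote runs to the end,
    which is how the posted pattern ends up with a literal trailing 'Z'.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "'":
            end = pattern.find("'", i + 1)
            if end == -1:
                end = len(pattern)
            out.append(pattern[i + 1:end].replace("%", "%%"))
            i = end + 1
            continue
        m = TOKEN_RE.match(pattern, i)
        if m:
            out.append(JODA_TO_STRPTIME[m.group(1)])
            i = m.end()
        else:
            out.append(pattern[i].replace("%", "%%"))
            i += 1
    return "".join(out)


def pattern_matches(pattern: str, value: str) -> bool:
    """Return True if `value` parses with the translated `pattern`, else False."""
    try:
        datetime.strptime(value, joda_to_strptime(pattern))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in (POSTED_PATTERN, ALT_PATTERN):
        print(f"{p!r} matches {TIME_VALUE!r}: {pattern_matches(p, TIME_VALUE)}")
```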